Please ask questions only in this topic.

Re: Please ask questions only in this topic.

Post by brendanbeals on Sun Aug 30, 2009 9:22 am
([msg=28649]see Re: Please ask questions only in this topic.[/msg])

I have seen the source of m********.c**, but I do not know how to reverse engineer the v****k*y() function. Please help!
brendanbeals
New User
Posts: 1
Joined: Sun Aug 30, 2009 9:17 am


Re: Please ask questions only in this topic.

Post by eljonto on Tue Sep 08, 2009 4:35 am
([msg=29331]see Re: Please ask questions only in this topic.[/msg])

afrika wrote:Please help me "sigh"

Ok so I found the cgi query system and first tried using XSS, which didn't work, so then I read up a little and found out about poison null bytes. Ok so what I need to do, obviously, is list the files within the parent directory.
I've tried

[Spoiler removed]

I have no idea wtf I'm doing and I can't really find a good explanation, and the ones that I've seen are exactly what I'm doing, so I don't know what I'm doing =/


Ok, go to the news section and click on a link; the url should look like: http://www.hackthissite.org/missions/re ... gi?story=1
Ok, try changing the story value. What happens? What happens when you enter an invalid story value? The error message can help. After analysing these, ask yourself how the script gets the stories: it takes the value of story and does what to it? So if you were to try and open another file or directory on the server, you'd need to stop the script adding a little something on, and that's where the poison null byte comes in handy.... I really can't go any further without spoiling the exploit completely, so I'll leave it to you to mess around with it for a while.

-- Tue Sep 08, 2009 7:40 pm --

brendanbeals wrote:I have seen the source of m********.c**, but I do not know how to reverse engineer the v****k*y() function. Please help!


This is easier than it looks. If you have perl installed, simply copy the functions into your own .pl file, modify it a little so you can input values and see the output, then just enter values until you get a key within the correct range. If you don't want to use perl (foolish choice ;) ) then just look at what the script changes the characters to, look at the calculations performed on the characters, recreate this in another language of your choice and then do the same as I mentioned for perl.

Side note: if you are going to use perl for this, make sure you chomp() your input, otherwise an annoying newline character will screw up your key values.
-Quis custodiet ipsos custodes?, Juvenal
eljonto
Poster
Posts: 373
Joined: Thu Apr 17, 2008 1:16 am
Location: Australia


Re: Please ask questions only in this topic.

Post by old_grizzly on Thu Sep 10, 2009 12:16 pm
([msg=29448]see Re: Please ask questions only in this topic.[/msg])

eljonto wrote:
afrika wrote:Please help me "sigh"

Ok so I found the cgi query system and first tried using XSS, which didn't work, so then I read up a little and found out about poison null bytes. Ok so what I need to do, obviously, is list the files within the parent directory.
I've tried

[Spoiler removed]

I have no idea wtf I'm doing and I can't really find a good explanation, and the ones that I've seen are exactly what I'm doing, so I don't know what I'm doing =/


Ok, go to the news section and click on a link; the url should look like: http://www.hackthissite.org/missions/re ... gi?story=1
Ok, try changing the story value. What happens? What happens when you enter an invalid story value? The error message can help. After analysing these, ask yourself how the script gets the stories: it takes the value of story and does what to it? So if you were to try and open another file or directory on the server, you'd need to stop the script adding a little something on, and that's where the poison null byte comes in handy.... I really can't go any further without spoiling the exploit completely, so I'll leave it to you to mess around with it for a while.

-- Tue Sep 08, 2009 7:40 pm --

brendanbeals wrote:I have seen the source of m********.c**, but I do not know how to reverse engineer the v****k*y() function. Please help!


This is easier than it looks. If you have perl installed, simply copy the functions into your own .pl file, modify it a little so you can input values and see the output, then just enter values until you get a key within the correct range. If you don't want to use perl (foolish choice ;) ) then just look at what the script changes the characters to, look at the calculations performed on the characters, recreate this in another language of your choice and then do the same as I mentioned for perl.

Side note: if you are going to use perl for this, make sure you chomp() your input, otherwise an annoying newline character will screw up your key values.


Gday.

Any good pointers or examples for perl? I have been fooling around with Strawberry for days playing with the code found in m********.cg*, and no luck. Is perl the only way, or is there some php XSS we could try? An example would be great.

Thanks

old_grizzly
New User
Posts: 3
Joined: Sat Aug 29, 2009 1:19 am


Re: Please ask questions only in this topic.

Post by HoleSystem on Sat Sep 26, 2009 5:57 am
([msg=30122]see Re: Please ask questions only in this topic.[/msg])

I have seen the source of m********.c** and I reverse engineered the v****k*y() function. Got a valid key. Got the hint for the final step
and logged in as admin. ;)
Last edited by HoleSystem on Sun Sep 27, 2009 11:18 am, edited 1 time in total.
HoleSystem
New User
Posts: 7
Joined: Fri Apr 18, 2008 5:16 am


The Reverse Engineering Part

Post by elcheapo on Sat Sep 26, 2009 8:15 am
([msg=30127]see The Reverse Engineering Part[/msg])

Guys, after getting the null byte tips, I went up to the m**.c** and found the v*** function. Reverse engineering it was the most fun part. =) My little python script gets a valid key in less than a minute. Here is how I did it.
Let's say a key is abcd [a, b, c, d represent some variable ascii values]
now, sum0 = s0 = 0
s1 = a + s0 * 0 + s0 = a + s0 * (0 + 1) = a
s2 = b + s1 * 1 + s1 = b + s1 * (1 + 1) = b + (a) * (2) = b + 2 * a
s3 = c + s2 * 2 + s2 = c + s2 * (2 + 1) = c + (b + 2 * a) * (3) = c + 3 * (b + 2 * a)
s4 = d + s3 * 3 + s3 = d + s3 * (3 + 1) = d + (c + 3 * (b + 2 * a)) * (4) = d + 4 * (c + 3 * (b + 2 * a))

So, s4 is our final sum, which must be such that:
some_lower_value < s4 < some_higher_value
These values are defined in the script.


#### First step: ####
Clearly, s4 is the information we have. Now we need to derive a key from s4.
Now we step back:
d + 4 * (c + 3 * (b + 2 * a)) == s4
=> 4 * (c + 3 * (b + 2 * a)) == s4 - d
=> c + 3 * (b + 2 * a) == (s4 - d) / 4
Since 'c', 'b', 'a' all have discrete ascii values, the Left Hand Side (L.H.S.) is an integer expression. For L.H.S. == R.H.S. to hold, we need the R.H.S. to be an integer expression too! And that's the trick B). You need to find a 'd' such that "(s4 - d) % 4 == 0". Since valid values of 'd' are limited in number, after doing a little brute forcing through the char set, we can find our first candidates (there can be multiple ones). For those values, we take separate paths and see which one meets the end.

#### Second step: ####
After finding possible 'd', we try to find 'c' in a similar manner.
3 * (b + 2 * a) == s3 - c [where, s3 == (s4 - d) / 4]
=> b + 2 * a = (s3 - c) / 3
Similar to the first step, hopefully we will find some valid values of 'c' too. If no character satisfies the requirement "(s3 - c) % 3 == 0", then there is no hope for our path to reach the destination, so we must abandon it. Else, we branch down again.

#### Last step: ####
After getting 'd', 'c', 'b', we are down to 'a'. Now, we must match "0 == (s1 - a)" => "s1 == a". If you design recursive functions, be careful about this part!

That is how this method works. At least it takes a lot less time than blind brute forcing. One thing though: you will have to guess through possible key lengths. My python script starts from 1 and steps up higher. To find a maximum of 7 digit key with my intel celeron 420 1.6 GHz machine, it took (using the unix "time" command) -
"
real 0m43.720s
user 0m39.738s
sys 0m0.056s
"
Hopefully I didn't spoil it too much. PM me if you need the python code. BTW, some of you guys didn't even bother about R. E. Is there any other way?

So, I got a valid key. Now what? Social engineering? I tried to connect to their chat service but the 'java applet' is broken. Is it 'that's how it is', or my system is misconfigured?
elcheapo
New User
Posts: 5
Joined: Sat Sep 19, 2009 10:39 pm

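The derivation in elcheapo's post, and eljonto's earlier advice to copy the key function into your own script and feed it values (remembering to chomp the trailing newline), both describe the same thing: a key check that is a plain running sum can be inverted by anyone who has read the source. The example below is added here and is not elcheapo's script or the mission's code. It implements the forward sum exactly as the post writes it (s_i = c_i + s_{i-1} * (i-1) + s_{i-1}), then the divisibility-based backtracking from the three steps, generalised from the four-character case to any length. The character set, the sample key "abcd" and the bounds 3999 and 4001 are constructed assumptions; the real mission's alphabet and range are not on the page.

```python
"""Added example: the running-sum key check from the post and its inversion.

Not the mission's code. CHARSET, the sample key and the bounds are assumptions.
"""
from string import ascii_letters, digits
from typing import List, Optional

# Assumption: keys are drawn from ASCII letters and digits.
CHARSET = ascii_letters + digits
CHAR_ORDS = set(map(ord, CHARSET))


def forward_sum(key: str) -> int:
    """The post's recurrence: s_i = c_i + s_{i-1} * (i-1) + s_{i-1}.

    With a 1-based position p this is s_p = c_p + p * s_{p-1}.
    """
    key = key.rstrip("\r\n")        # the chomp() caveat from eljonto's post
    s = 0
    for i, ch in enumerate(key):    # i is 0-based, so the multiplier is i
        s = ord(ch) + s * i + s
    return s


def validate(key: str, lower: int, upper: int) -> bool:
    """The check as the post describes it: lower < s_n < upper."""
    return lower < forward_sum(key) < upper


def invert(target: int, length: int) -> List[str]:
    """Every key of `length` characters whose running sum is exactly `target`.

    Walks back from s_n. At 1-based position p, s_p = c_p + p * s_{p-1}, so a
    candidate c_p is only viable when (s_p - c_p) % p == 0; each viable
    candidate becomes its own branch, and the last step is simply s_1 == a.
    """
    found: List[str] = []

    def step(s: int, pos: int, suffix: str) -> None:
        if pos == 1:
            # Last step: s_1 == a, no division involved.
            if s in CHAR_ORDS:
                found.append(chr(s) + suffix)
            return
        for ch in CHARSET:
            rest = s - ord(ch)
            # s_{pos-1} is a sum of positive ordinals, so prune anything else.
            if rest > 0 and rest % pos == 0:
                step(rest // pos, pos - 1, ch + suffix)

    step(target, length, "")
    return found


def find_key(lower: int, upper: int, max_len: int) -> Optional[str]:
    """Shortest key whose sum lies strictly inside (lower, upper), or None.

    Mirrors the post's approach of stepping the key length up from 1.
    """
    for length in range(1, max_len + 1):
        for target in range(lower + 1, upper):
            keys = invert(target, length)
            if keys:
                return keys[0]
    return None


if __name__ == "__main__":
    print(forward_sum("abcd"))          # constructed sample key
    print(len(invert(4000, 4)), "four-character keys share that sum")
    print(find_key(3999, 4001, 4))
```

The point for anyone reviewing a validation routine like this is that every branch `invert` follows is a valid key, and it finds them with a handful of divisions per character rather than a blind search over the alphabet; a check whose only secret is its arithmetic offers no protection once the source is readable.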

Re: Please ask questions only in this topic.

Post by HoleSystem on Sun Sep 27, 2009 11:08 am
([msg=30152]see Re: Please ask questions only in this topic.[/msg])

elcheapo wrote:So, I got a valid key. Now what? Social engineering? I tried to connect to their chat service but the 'java applet' is broken. Is it 'that's how it is', or my system is misconfigured?

No, no and no...
secdef9 wrote:Go wild

Here's what executed my mind. :D
HoleSystem
New User
Posts: 7
Joined: Fri Apr 18, 2008 5:16 am


Re: Please ask questions only in this topic.

Post by arbunklish on Sun Sep 27, 2009 12:46 pm
([msg=30155]see Re: Please ask questions only in this topic.[/msg])

So I have got the a-page, a username and a password. Do I need to plant a cookie in order to get around the 404?
arbunklish
New User
Posts: 2
Joined: Sun Sep 27, 2009 12:44 pm


Re: Please ask questions only in this topic.

Post by HoleSystem on Thu Oct 01, 2009 2:58 am
([msg=30302]see Re: Please ask questions only in this topic.[/msg])

WTF? Log in, man!
HoleSystem
New User
Posts: 7
Joined: Fri Apr 18, 2008 5:16 am


Re: Please ask questions only in this topic.

Post by arbunklish on Thu Oct 01, 2009 4:27 am
([msg=30303]see Re: Please ask questions only in this topic.[/msg])

Done... well, too easy to be true :oops:
arbunklish
New User
Posts: 2
Joined: Sun Sep 27, 2009 12:44 pm


Re: Please ask questions only in this topic.

Post by Brandon1650 on Mon Dec 07, 2009 10:36 pm
([msg=31145]see Re: Please ask questions only in this topic.[/msg])

Can anyone make sense of the robots.txt file?
Brandon1650
New User
Posts: 3
Joined: Sat Nov 28, 2009 6:26 pm



Return to (Real 14) Yuppers Internet Solutions
